Pandurangan says JetBlue sent him an automated email reply when he refunded a plane ticket. The email was from TravelBank and it contained both his plaintext password and account number.

“The fact that they have not even followed basic security procedures is really scary,” he writes. “Since many people use the same password all over the place, this is especially dangerous — having a very complex password may prevent hackers from figuring out your password from a hash, but is useless if they’re stored as plain text.”

Passwords should never be stored as plaintext, he explains. They should be stored as something much more secure, because if someone hacks into a database, every user’s password can be compromised. Plaintext storage also means that any employee with access to the database can look up anyone’s password.
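To make the difference concrete, here is an added sketch (not code from the article, from Pandurangan, or from JetBlue/TravelBank) that puts a plaintext credential table beside one that keeps only a salted, slow hash. The class names, the sample account and the PBKDF2 iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor


class PlaintextStore:
    """The pattern the article describes: the password is kept as typed."""

    def __init__(self):
        self.rows = {}

    def register(self, user, password):
        self.rows[user] = password

    def reminder_email(self, user):
        # Only possible because the original password is still on file.
        return f"Your password is: {self.rows[user]}"


class HashedStore:
    """Keeps a per-user random salt and a derived key, never the password."""

    def __init__(self):
        self.rows = {}

    def register(self, user, password):
        salt = os.urandom(16)
        key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        self.rows[user] = (salt, key)

    def verify(self, user, password):
        if user not in self.rows:
            return False
        salt, key = self.rows[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        return hmac.compare_digest(candidate, key)  # constant-time comparison


def readable_in_dump(store, password):
    """True if the password appears verbatim in a copy of the table."""
    needle = password.encode()
    for row in store.rows.values():
        stored = row.encode() if isinstance(row, str) else b"".join(row)
        if needle in stored:
            return True
    return False
```

With the hashed table there is no `reminder_email` to write: the service can check a login attempt, but it has nothing on file that it could mail back or that an employee could read.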

Pandurangan pledged to never use JetBlue again until the problem is fixed. But per Pakman’s complaint, JetBlue hasn’t made any moves to store passwords more securely.

Pandurangan provided the text of the email he received from TravelBank/JetBlue. Pakman says it’s similar to the one he received:

We are working to resolve this issue, which is limited to the following circumstance:

We create a travel bank account to provide our customers with a service credit, which can be used towards the air portion of a JetBlue flight or Getaway package. JetBlue proactively deposits these vouchers into a “travel bank” for customers, and notifies them via email, based on the email we have on file with their travel record.